Framework B.02 · NIST Cybersecurity Framework 2.0

NIST CSF 2.0 - how CyberFortify maps offensive findings to the six functions.

The NIST Cybersecurity Framework (CSF) 2.0 is the most widely adopted general-purpose cybersecurity framework in the world. CyberFortify maps every penetration testing finding to the new six-function structure - Govern, Identify, Protect, Detect, Respond and Recover - so security leaders can read offensive evidence directly into their CSF programme.

Maintainer: NIST Computer Security Resource Center Version: 2.0 (2024) Used in: Federal & private-sector programmes
6
Functions in CSF 2.0
23
Categories
108
Subcategories
NEW
Govern function
CSF 2.0: GV Govern · ID Identify · PR Protect · DE Detect · RS Respond · RC Recover · Implementation Tiers 1-4 · Profiles · Informative References · Quick Start Guides CSF 2.0: GV Govern · ID Identify · PR Protect · DE Detect · RS Respond · RC Recover · Implementation Tiers 1-4 · Profiles · Informative References · Quick Start Guides
// Executive summary

NIST CSF 2.0 introduces the new Govern function alongside the original Identify / Protect / Detect / Respond / Recover model. CyberFortify's network and application pen testing reports map findings to all six functions and the underlying NIST 800-53 control catalogue.

// 01 What NIST CSF 2.0 actually is

// DefinitionNIST CSF 2.0

An outcome-based cybersecurity framework maintained by the US National Institute of Standards and Technology, organised around six top-level functions and twenty-three categories. The 2.0 revision (2024) added Govern as a sixth function and broadened scope explicitly beyond critical infrastructure to all organisations.

CSF 2.0 is voluntary in most contexts but operationally mandatory: it is referenced by federal contracting (FedRAMP, CMMC), regulator guidance, insurance underwriting and enterprise procurement.

The framework is deliberately outcome-driven rather than prescriptive. It does not tell you which firewall to buy. It tells you what capability you must demonstrate - for example, "detection processes are tested" (DE.DP-3 in 1.1, now reorganised in 2.0) - and leaves the implementation choice to the organisation. That is a feature, not a bug. CSF's strength is that it travels well across industries.

// 02 The six functions explained

CSF 2.0 is organised around six functions. CyberFortify maps offensive testing evidence into all of them, but the highest-value mappings are usually PR / DE / RS - the functions a pen test most directly validates.

GVNew in 2.0

Govern

Establish, communicate and monitor cybersecurity strategy, expectations and policy. Includes roles & responsibilities, supply-chain risk, oversight. Pen testing supports GV by producing the evidence governance committees rely on.

IDFoundational

Identify

Asset management, risk assessment, supply-chain inventory. Pen test reconnaissance phase produces unsanctioned-asset evidence (subdomain takeover candidates, forgotten staging environments) directly mappable to ID.AM-2.

PRPen test core

Protect

Access control, awareness, data security, platform security, technology infrastructure resilience. Every CyberFortify finding maps primarily into PR - this is where preventive controls are tested.

DEPen test core

Detect

Continuous monitoring, anomaly & event analysis. CyberFortify's red team service is the highest-fidelity DE evidence source - it tests whether your monitoring actually triggers under realistic adversary tradecraft.

RSPen test relevant

Respond

Incident management, analysis, mitigation, reporting. Purple-team engagements explicitly exercise RS function activities and produce structured evidence on response time, runbook quality and stakeholder communication.

RCRecovery

Recover

Incident recovery plan execution, communications. Tested through tabletop exercises and disaster-recovery drills, often paired with a red-team engagement.

// 03 How CyberFortify maps findings to CSF 2.0

Every CyberFortify web application pen test, network pen test and cloud pen test finding is mapped to a primary CSF 2.0 subcategory plus the relevant NIST 800-53 control reference. Here is how a representative finding looks.

01

Function

Primary CSF function (e.g., PR - Protect).

PR / DE / RS
02

Category

e.g., PR.AA - Identity Management, Authentication and Access Control.

23 categories
03

Subcategory

e.g., PR.AA-03 - Users and processes are uniquely identified and authenticated.

108 subcategories
04

NIST 800-53 reference

e.g., AC-2, IA-2 - the underlying control catalogue federal teams reference directly.

Control catalogue
05

Implementation tier

1 (Partial) - 4 (Adaptive). Recommended target tier per finding category.

Tier 1-4

// 04 Why CSF 2.0 matters in 2026

CSF 2.0 is now the lingua franca of executive-level cybersecurity reporting. Boards and audit committees ask questions in CSF terms ("What is our PR.AC posture?") more often than in framework-specific terms. Pen testing reports that ship with native CSF mapping skip the translation step that historically slowed down board-level remediation discussions.

CSF 2.0 is outcome-based by design. A pen test is the most direct outcome-based evidence you can produce against the Protect and Detect functions - it shows what attackers actually achieve, not what controls are documented.

CyberFortify reporting practice

// 05 Frequently asked questions

Is NIST CSF mandatory?

CSF itself is voluntary in most contexts. However, it is referenced by federal contracting frameworks (FedRAMP, CMMC), regulator guidance (SEC, NYDFS) and insurance underwriting questionnaires - making it operationally mandatory for many organisations.

How does CSF 2.0 differ from CSF 1.1?

The biggest change is the new sixth function, Govern. CSF 1.1 had five functions (ID/PR/DE/RS/RC). CSF 2.0 adds Govern as a top-level function recognising the central role of cybersecurity governance. Scope was also broadened beyond critical infrastructure to all organisations.

Do you also map to NIST 800-53?

Yes. Every CSF subcategory has informative-reference mappings to NIST 800-53 controls; CyberFortify reports include both. This is essential for federal customers and FedRAMP / CMMC environments.

How does CSF relate to ISO 27001?

CSF is outcome-based; ISO 27001 is a management-system standard with a certifiable conformance requirement. Many organisations run both: CSF for executive communication, ISO for the certification their enterprise customers demand.

Want a CSF 2.0-aligned penetration test?

Schedule a 30-minute scoping call. CyberFortify will recommend the right offensive testing service and quote a fixed-price engagement - usually within 48 hours.

Schedule scoping call → Back to CyberFortify home →